In 2022, not a week went by without the announcement of a hack, stolen personal data, medical data, credentials, etc. So it’s only natural that in 2023, there will be a very strong focus on security. But security is not the only focus for enterprises this year…
In this post, we’ll explore how businesses can benefit from implementing the systems and technologies focused on security and sustainability: more comprehensive security measures, Zero Trust adoption to increase data security, systemic sustainability initiatives, Hyperautomation, and effective carbon credit trading.
Keep an eye out for the rest of the Tech Trends 2023 series: Web3, Enterprise, Data, Development & Infrastructure, and a few other topics worth following. Enjoy!
More real security measures
The security landscape of 2023 is a world away from the security theatre we all witnessed in previous years. Systemic security initiatives are at the forefront, with businesses and governments alike recognising that security should be an integral part of any system or network to protect data confidentiality, integrity, and availability.
A comprehensive approach to security
The security landscape of 2023 calls for companies to identify their risk appetite based on applicable regulations, standards, and policies to adequately protect the data privacy of customers and employees. To do this effectively, they need to assess the various security risks that may come with their products, services or networks.
Organisations must design a comprehensive security strategy that can effectively protect their valuable assets and address their specific business risks and compliance requirements concerning cybersecurity. This strategy should include the following:
-
The development of OKRs,
-
Policies and programs that measure the effectiveness of the security controls being implemented,
-
Streamlining and automation wherever possible,
-
Administrative controls such as user & developer training, regular access & permissions review, continuous risk management etc.
We expect a more systemic, integrated approach to security. Instead of delegating security responsibilities to a single group (the “Security Team”), all stakeholders need to be involved from the beginning to provide a safe product for the end users. All stakeholders must understand what security is – being aware of the risks, whether the risks are acceptable or not, the implications, and the company’s regulatory security framework. Security needs to be included in the scope and budget of all application development as a high priority instead of being relegated to the far end of the project.
Enterprises now understand that shifting the blame to third parties or vendors will not remove their responsibilities towards their customers. So, it’s evolving from asking “who’s to blame?” to asking how it happened and how to fix it. More importantly, companies should assess what needs to be done to prevent similar incidents from happening. As such, we expect more scrutiny when choosing vendors, service providers, and SaaS applications and when validating provided services.
For instance, it would be a good practice to first define the security framework (including tools and acceptable level of risk) for your enterprise and then ensure that the provided code or service abides by these rules. Examples of this include static code analysis or open-source software vulnerability checks.
Enhancing security with the right tools and training
Gone is the time of firewalls being paramount to security! With 80% of breaches occurring at the application level, it's evident that a coordinated, almost symbiotic relationship between design, development, architecture, infrastructure and support or SRE teams is critical.
Tools need to be deployed and used correctly to support all of this. This is one of the main issues we've seen with security software. Instead of having a dozen security tools that aren’t properly used or maintained, reducing the number of tools and ensuring complete adoption from the end users is a must. The good news is that with the help of AI, these tools are becoming more intelligent and more user-friendly. But you won't be able to avoid proper training with your teams.
Maturing DevSecOps practices requires mandatory automated security testing such as SCA (dependencies), SAST (code) and DAST (runtime). In addition to automated vulnerability testing and alerting, hyper-automation for security fixes demonstrates the next level of maturity and a relatively novel approach to security. Using a set of rules and a bit of AI magic, these tests propose solutions to known issues and can fix the code or dependency tree for you.
One of the examples of actioning Software Composition Analysis results is GitHub’s Dependabot which discovers vulnerabilities in a project’s dependencies and automatically raises pull requests that contain recommended fixes. For the assisted resolution of SAST findings (code security quality), there are multiple options to choose from Sonar, Synopsys and several other AppSec leaders.
As before, the fixes need to be reviewed by developers and the functionality tested - but it’s an excellent help for faster security fixes. It also alleviates a well-known issue of vulnerability alert fatigue that slows down development teams or leaves some vulnerabilities unattended. Considering that more than 80% of source code in projects is based on Open Source – security automation adds much value by allowing development teams to sustain high velocity.
Mitigating shadow IT risks in 2023
Another area where breaches have occurred is shadow IT – software and SaaS that are not really forbidden but not really approved either, and thus not tracked or vetted correctly. It is very common to see it as a reaction to the slow pace of digital transformation when business units explore ways to create value by bypassing traditional IT governance and controls. Some companies subject to ISO/IEC 27001 compliance and/or SOC-2 audits tightly restrict this through rigid security policies. Other companies that give the latitude to business units to experiment need to be wary of the need to manage associated security risks.
A company data handling policy is an effective way for companies to make shadow IT more manageable. This approach requires identifying Data Owners (senior leaders of business units) who are responsible for classifying their data using an internal data classification framework - typically with four levels ranging from public to confidential. In addition, businesses should appoint Data Custodians within each business unit who will understand the risk and manage shadow IT.
Storage and collaboration services (cloud storage, online version control systems, whiteboarding collaboration tools and other SaaS services) were responsible for some of the breaches last year when confidential or internal data was used to abuse internal systems or run advanced spear-phishing campaigns. Their inventory, vetting and clear usage guides will likely need to be developed in 2023.
Finally, all of those above will take time, and if you are like most enterprises today, you may have noticed that your security teams are tired, overworked, worried, and struggling to keep up with all the movement in this area. So, help them to help you by ensuring that the development and business teams do not shrug off their worries and warnings. In the end, they are there to protect your company and its users.
Increased adoption of Zero Trust
Did you know that 2024 will mark the 30th year of Zero Trust? It was coined in 1994 by Paul Marsh in his doctoral thesis. Where are we now?
What is Zero Trust and why is it important?
Zero Trust has been slowly gaining prominence as companies adopt more cloud and SaaS solutions, and perimeter security is not sufficient anymore. Zero Trust helps organisations mitigate cyber risks associated with trust-based security perimeter approaches by adopting data-focused protection approaches in conjunction with a “never trust; always verify; least privilege; assume breach” mindset. It requires all requests between systems and applications to pass authentication, authorisation and encryption checks before gaining access. Zero Trust approaches dramatically reduce the risk of an attacker’s ability to move laterally if one system or application is breached.
It is expected that Zero Trust adoption will only continue to grow in 2023. As a result, companies of all sizes need to consider making a Zero Trust approach their default approach in implementing a cybersecurity strategy to protect their digital assets. Furthermore, Zero Trust is required to develop an enterprise-wide service- or data- mesh.
As Zero Trust emphasises the importance of preventive controls, it also pinpoints the crucial role of detective controls, such as analysing every transaction context. This may require significant changes to the designs and implementations of applications and services to achieve the necessary level of security and observability as one of the Zero Trust objectives.
Improving data security
Organisations that grow their Zero Trust maturity level will take advantage of improved data security, dramatically reducing the risk of data breaches and enhancing compliance with cybersecurity standards. Microsoft’s Zero Trust maturity model offers a roadmap and recommendations for companies that aspire to start or assess their progress with the Zero Trust journey.
However, going all-in with Zero Trust is a complex undertaking. It requires a staged approach and a good understanding of digital assets and platforms that store and process them. As this approach is based on putting data protection at the centre of Cybersecurity strategy, a good starting point would be the full assessment of data and identification of data owners, data custodians, and platforms that provide access to this data. Zero Trust approach is like any other security approach – it requires controls to mitigate security risks and relies on a security baseline to analyse if sufficient controls have been implemented and how effective they are.
In 2022, one might have wondered, “who has access to my data?”. In 2023, the question should be, “what has access to my data?” as well. As we rely more and more on programmatic access between systems (APIs), ensuring that you have a complete view of your systems and their internal controls for protecting the handled data should be a number one business priority. Today, business leaders clearly understand that increasingly high cybersecurity risk is a business problem, and Zero Trust might be the right solution.
Three steps towards Zero Trust maturity
There are no out-of-the-box solutions to buy Zero Trust off-the-shelf. However, there are three clear levels of maturity that organisations can follow up on to reduce the risk of data breaches to acceptable levels.
- First, introduce these three elements: consolidated, centralised identity management (ideally with Multi-Factor Authentication (MFA) and single sign-on where possible), visibility into logins and actions (audit trails), and segmentation.
- The second level is more advanced and would require you to look at how your organisation performs real-time risk analytics (SIEM), API request authentication/authorisation between systems based on Zero Trust principles, event correlation and anomaly detection, vulnerability analysis and mitigation.
- The third, most optimal and highest security maturity level is achieved when you dynamically enforce security policies across all systems and applications. Your environment is protected with automated threat detection and response; you analyse security levels and drive optimisation and improvements based on actionable insights.
In 2023, we expect more organisations to focus on activities related to driving their Zero Trust security maturity. With human activities reducing on the web (you will find that the number of non-human activities on the web ranges from 40 to 65%) and with a growing proportion of bad bots (roughly twice the number of good bots), it's evident that there's an increasing amount of work to keep data safe.
As Zero Trust adoption continues to grow in 2023, enterprises must be prepared for the shift away from perimeter security towards cloud services and application security. To ensure their data is secure against emerging threats, companies need to consider Zero Trust as part of their cybersecurity strategy. However, while Zero Trust brings many advantages, it may become increasingly difficult to implement without well-planned changes to existing systems architecture and design that were not built to support Zero Trust principles.
To devise a Zero Trust strategy and its OKRs, business and technology leaders might consider getting help from external advisors (professional software developing consultancies and cloud solution practices) to establish a holistic view of their business risks that can be mitigated through the adoption of Zero Trust. An external point of view will help you discover interconnections between existing systems, including line-of-business applications. This will help you prepare an independent, comprehensive plan for implementing controls required for the successful execution of a Zero Trust strategy. Doing so will ensure organisations stay on top of cybersecurity threats in 2023 and lay the foundation for security and privacy challenges that may arise in 2024-2025.
Systemic sustainability
The past decade has been a time of significant change and growth regarding sustainability. Companies have put in place policies, procedures, and strategies designed to reduce their environmental impact — but often, these initiatives are implemented on an ad-hoc basis without any consideration for how they will interact with one another or affect the organisation as a whole.
Harnessing systems thinking and data insights for sustainability
As we move into 2023, it is clear that this approach will not be enough anymore. Sustainability demands that companies take a systemic view of their operations: understanding the interconnectedness between different areas and departments within the business, third-party software, and vendors, and accounting for each individual's contribution towards reducing emissions and increasing efficiency.
Systems thinking can help enterprises integrate sustainability into every aspect of their activities and ensure that a gain on one part does not result in a loss on another.
Furthermore, it's essential to look at this effort honestly and factually without relying on hearsay, unsubstantiated opinions, and outdated data. Sustainability efforts must be backed with research, evidence, and valid metrics for companies to truly understand their impact on the environment and make meaningful decisions to improve it.
As such, we are expecting a lot more involvement from data scientists and engineers in this domain. Real, accurate, in-depth data needs to be retrieved and assessed regularly, far beyond the current considerations of the regulatory bodies.
ESG footprints: beyond carbon emissions
Beyond carbon emissions, Environmental, Social and Governance (ESG) also touch on the company's impact on the world. Ensuring vendors, for instance, have a mindset like yours is critical. Your customers demand that your employees' and your sub-contractors' employees' rights are respected and that you can prove it. Technologies can be deployed for this, like self-sovereign identity (to validate sub-contractors’ employee’s contracts and documentation, for instance) or accurate mental health help.
Systemic sustainability needs to be part of the daily agenda for companies in 2023, with an encompassing view that looks beyond the immediate impact of particular initiatives. By combining systems thinking with accurate data and reliable analysis, enterprises can ensure that they are taking a holistic approach to sustainability — one that will help them change their ESG footprint for the better in the long term. To dig further, check out our key takeaways on executing on ESG from the WEF Sustainable Development Impact Summit.
Hyperautomation at all levels
If you haven't heard about Hyperautomation yet, it's time to get with the program. In short, Hyperautomation is the concept of mixing humans and machines to make decisions faster, reduce toiling, and improve efficiency. Sound a bit dystopian? Never fear. There's no plan to implement Borg-like cybernetic components in your brain (…yet). The main idea here is to automate manual tasks and use technology for what it's very good at – repetitive processes, crunching vast amounts of data – and humans for what they are best at – making decisions and being creative.
Prepare for the Hyperautomation revolution
Hyperautomation is set to be one of the most influential technologies of 2023, with AI playing a pivotal role in its success. Driven by advancements in natural language processing, GPT (Generative Pre-trained Transformer – we'll talk about that in a minute), and powerful zero- or low-code platforms, Hyperautomation is expected to explode on the scene this year. So, if your business isn't already on board with Hyperautomation, now's the time to jump in and join the revolution!
Low- and No-code platforms are extremely useful. They abstract the complexity of development, security, and testing and focus on providing non-tech people with a way to create new software.
One of the best features of these platforms is extendibility: you can create new components for your users or link them to another API outside of the platform. This means that you could give access to very powerful systems (AI, Machine learning, computer vision) to almost anyone in your company for the purpose of automating their business without worrying too much about security and data access, as this is handled at the platform level.
What it means for businesses is that you can create applications and workflows and automate processes without the need for a dedicated IT team and get things running immediately. The great thing is that they are relatively easy to adopt – if you can write a rule in Outlook, you can build a no-code workflow.
Of course, the best software development practices, such as versioning and testing in a test environment, remain. Therefore, your users should be trained on these platforms and the best practices to implement before gaining full access to them.
Nevertheless, it's coming, and Hyperautomation is ready to revolutionise the workplace of 2023.
More effective carbon credit trading
The carbon credit market is set to become even more significant in 2023. With increasing emphasis on carbon emission reduction, carbon credits allow organisations to trade carbon emissions and help them meet their carbon objectives. It’s easy to understand why carbon trading has become so popular – not only does it provide a financial incentive for reducing emissions, but trading carbon credits makes it easier for organisations to manage, validate and exchange carbon credits.
On the other side of the equation, carbon credit purchases can finance projects that can make a difference, not only for the carbon sequestration itself, but also for the local communities in developing countries where jobs are created to develop, audit, and administer the projects.
Expect more focus on project quality and values
Not all carbon credit projects are created equal. Outstanding projects exist alongside lower-quality ones. But throwing out the entire carbon credit industry because of a few bad actors would be like throwing away the whole banking system because loan sharks exist – it's depriving ourselves of a handy tool. Better audits need to be made for better, higher-quality projects. Registries (Verra, Gold standard, etc.) have their role to play in this, and so do carbon credit exchanges and brokers. Compliance requirements are already in place for legal carbon offsetting, but not for voluntary ones (like the ones used in PR by many companies today). Lawmakers will likely do more this year to sort the wheat from the chaff.
In 2023 and subsequent years, we expect better clarity in projects and a deeper alignment of goals to company values: rather than simply purchasing the cheapest "tCo2 carbon offset", companies will have options to compare projects on their positive collateral effect. We're expecting then that the selection of the projects will depend not only on price, but also location and ESG aspects.
Futures and options on carbon credits will be needed as well. It's excellent news for projects, as it will provide funding for upcoming developments. The side effect would be the resale of unused carbon credit later.
Trading in carbon credits takes work. Even though we usually compare it to the existing commodity market, it is a new asset class that requires specific, different tools and knowledge. Existing trading platforms and activities (including middle and back office) will need to be modified to include carbon credits and carbon-related assets and their specificities.
To prepare for this, it's essential to define a company-wide policy on carbon credit: ensure that the projects you finance (indirectly or not) align with your vision and values. Determine the way you would like to play a role in this new market, why it's being done, and how the activities will need to be modified with the help of people familiar with the project’s area. Getting more involved in selecting the credits you get will also have the positive effect of warding off "carbon sharks" and their dodgy projects.
As carbon credit trading is growing in importance, it's essential that companies are prepared to make the most of carbon credits and carbon-related assets. The carbon credit market of 2023 looks set to be a complicated and exciting place, full of opportunities for those with the proper knowledge and resources.
Stay tuned for part 3 of our Tech Trends 2023 series – data, undoubtedly an important topic. If this article got you thinking about how you can improve your company’s cybersecurity or change your ESG footprint, reach out to us and see how we can help!
Contributors: Leo Arkhipov, Kevin Aubry, Michael Biallas, Ian Carter, Dominic Eales, Leonardo Diaz Deramond, Kevin Lawrence, Faisal Ramay, Yudesh Soobrayan, Dan Wheaton
